Virus Profile: W32/Bagle.aq@MM

Threat Search
Print
   
Virus Profile information details
Risk Assessment: Home Low-Profiled | Corporate Low-Profiled
Date Discovered: 8/9/2004
Date Added: 8/9/2004
Origin: Unknown
Length: Varies
Type: Virus
Subtype: E-mail
DAT Required: 4384
Removal Instructions
   
 
 
   

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

  • Port 80 (TCP) open on the victim machine
  • Outgoing messages matching the described characteristics
  • Files/Registry keys as described

    • Methods of Infection

    Mail Propagation

    This virus constructs messages using its own SMTP engine. Target email addresses are harvested from files with the following extensions on the victim machine:

    • .wab
    • .txt
    • .msg
    • .htm
    • .shtm
    • .stm
    • .xml
    • .dbx
    • .mbx
    • .mdx
    • .eml
    • .nch
    • .mmf
    • .ods
    • .cfg
    • .asp
    • .php
    • .pl
    • .wsh
    • .adb
    • .tbb
    • .sht
    • .xls
    • .oft
    • .uin
    • .cgi
    • .mht
    • .dhtm
    • .jsp

    The virus spoofs the sender address by using a harvested address in the From: field.

    The virus avoids sending itself to addresses containing the following:

    • @eerswqe
    • @derewrdgrs
    • @microsoft
    • rating@
    • f-secur
    • news
    • update
    • anyone@
    • bugs@
    • contract@
    • feste
    • gold-certs@
    • help@
    • info@
    • nobody@
    • noone@
    • kasp
    • admin
    • icrosoft
    • support
    • ntivi
    • unix
    • bsd
    • linux
    • listserv
    • certific
    • sopho
    • @foo
    • @iana
    • free-av
    • @messagelab
    • winzip
    • google
    • winrar
    • samples
    • abuse
    • panda
    • cafee
    • spam
    • pgp
    • @avp.
    • noreply
    • local
    • root@
    • postmaster@

    Peer To Peer Propagation

    Files are created in folders that contain the phrase shar :

    • Microsoft Office 2003 Crack, Working!.exe
    • Microsoft Windows XP, WinXP Crack, working Keygen.exe
    • Microsoft Office XP working Crack, Keygen.exe
    • Porno, sex, oral, anal cool, awesome!!.exe
    • Porno Screensaver.scr
    • Serials.txt.exe
    • KAV 5.0
    • Kaspersky Antivirus 5.0
    • Porno pics arhive, xxx.exe
    • Windows Sourcecode update.doc.exe
    • Ahead Nero 7.exe
    • Windown Longhorn Beta Leak.exe
    • Opera 8 New!.exe
    • XXX hardcore images.exe
    • WinAmp 6 New!.exe
    • WinAmp 5 Pro Keygen Crack Update.exe
    • Adobe Photoshop 9 full.exe
    • Matrix 3 Revolution English Subtitles.exe
    • ACDSee 9.exe

    Process Killing

    The downloader trojan contains code to kill processes matching the following list of file names, belonging to other worms and products which could be used to identify or interfere with its actions:

    • FIREWALL.EXE
    • ATUPDATER.EXE
    • winxp.exe
    • sys_xp.exe
    • sysxp.exe
    • LUALL.EXE
    • DRWEBUPW.EXE
    • AUTODOWN.EXE
    • NUPGRADE.EXE
    • OUTPOST.EXE
    • ICSSUPPNT.EXE
    • ICSUPP95.EXE
    • ESCANH95.EXE
    • AVXQUAR.EXE
    • ESCANHNT.EXE
    • ATUPDATER.EXE
    • AUPDATE.EXE
    • AUTOTRACE.EXE
    • AUTOUPDATE.EXE
    • AVXQUAR.EXE
    • AVWUPD32.EXE
    • AVPUPD.EXE
    • CFIAUDIT.EXE
    • UPDATE.EXE
    • NUPGRADE.EXE
    • MCUPDATE.EXE

    Downloading

    The downloader component contacts a list of websites to retrieve a JPG file, which is actually saved and run as an EXE file.  There is no image content in the file, only executable content.  Several of the websites listed are not registered or not valid URLs, perhaps in an effort to deceive people as to the true origin of this worm.

  • polobeer.de
  • r2626r.de
  • kooltokyo.ru
  • mmag.ru
  • advm1.gm.fh-koeln.de
  • evadia.ru
  • megion.ru
  • molinero-berlin.de
  • dozenten.f1.fhtw-berlin.de
  • shadkhan.ru
  • sacred.ru
  • kypexin.ru
  • www.gantke-net.com
  • www.mcschnaeppchen.com
  • www.rollenspielzirkel.de
  • 134.102.228.45
  • 196.12.49.27
  • aus-Zeit.com
  • lottery.h11.ru
  • herzog.cs.uni-magdeburg.de
  • yaguark.h10.ru
  • 213.188.129.72
  • thorpedo.us
  • szm.sk
  • lars-s.privat.t-online.de
  • www.no-abi2003.de
  • www.mdmedia.org
  • abi-2004.org
  • sovea.de
  • www.porta.de
  • matzlinger.com
  • pocono.ru
  • controltechniques.ru
  • alexey.pioneers.com.ru
  • momentum.ru
  • omegat.ru
  • www.perfectgirls.net
  • porno-mania.net
  • colleen.ai.net
  • ourcj.com
  • free.bestialityhost.com
  • slavarik.ru
  • burn2k.ipupdater.com
  • carabi.ru
  • spbbook.ru
  • binn.ru
  • sbuilder.ru
  • protek.ru
  • www.PlayGround.ru
  • celine.artics.ru
  • www.artics.ru
  • www.laserbuild.ru
  • www.lamatec.com
  • www.sensi.com
  • www.oldtownradio.com
  • www.youbuynow.com
  • 64.62.172.118
  • www.tayles.com
  • dodgetheatre.com
  • www.thepositivesideofsports.com
  • www.bridesinrussia.com
  • fairy.dataforce.net
  • www.pakwerk.ru
  • home.profootball.ru
  • www.ankil.ru
  • www.ddosers.net
  • tarkosale.net
  • www.boglen.com
  • change.east.ru
  • www.teatr-estrada.ru
  • www.glass-master.ru
  • www.zeiss.ru
  • www.sposob.ru
  • www.glavriba.ru
  • alfinternational.ru
  • euroviolence.com
  • www.webronet.com
  • www.virtmemb.com
  • www.infognt.com
  • www.vivamedia.ru
  • www.zelnet.ru
  • www.dsmedia.ru
  • www.vendex.ru
  • www.elit-line.ru
  • pixel.co.il
  • www.milm.ru
  • dev.tikls.net
  • www.met.pl
  • www.strefa.pl
  • kafka.punkt.pl
  • www.rubikon.pl
  • www.neostrada.pl
  • werel1.web-gratis.net
  • www.tuhart.net
  • www.antykoncepcja.net
  • www.dami.com.pl
  • vip.pnet.pl
  • www.webzdarma.cz
  • emnesty.w.interia.pl
  • niebo.net
  • strony.wp.pl
  • sec.polbox.pl
  • www.phg.pl
  • emnezz.e-mania.pl
  • www.republika.pl
  • www.silesianet.pl
  • www.republika.pl
  • tdi-router.opola.pl
  • republika.pl
  • infokom.pl
  • silesianet.pl
  • terramail.pl
  • silesianet.pl
  • www.iluminati.kicks-ass.net
  • www.dilver.ru
  • www.yarcity.ru
  • www.scli.ru
  • www.elemental.ru
  • diablo.homelinux.com
  • www.interrybflot.ru
  • www.webpark.pl
  • www.rafani.cz
  • gutemine.wu-wien.ac.at
  • przeglad-tygodnik.pl
  • przeglad-tygodnik.pl
  • pb195.slupsk.sdi.tpnet.pl
  • www.ciachoo.pl
  • cavalierland.5u.com
  • www.nefkom.net
  • rausis.latnet.lv
  • www.hgr.de
  • www.airnav.com
  • www.astoria-stuttgart.de
  • ultimate-best-hgh.0my.net
  • wynnsjammer.proboards18.com
  • www.jewishgen.org
  • www.hack-gegen-rechts.com
  • host.wallstreetcity.com
  • quotes.barchart.com
  • www.aannemers-nederland.nl
  • www.sjgreatdeals.com
  • financial.washingtonpost.com
  • www.biratnagarmun.org.np
  • hsr.zhp.org.pl
  • traveldeals.sidestep.com
  • www.hbz-nrw.de
  • www.ifa-guide.co.uk
  • www.inversorlatino.com
  • www.zhp.gdynia.pl
  • host.businessweek.com
  • packages.debian.or.jp
  • www.math.kobe-u.ac.jp
  • www.k2kapital.com
  • www.tanzen-in-sh.de
  • www.wapf.com
  • www.hgrstrailer.com
  • www.forbes.com
  • www.oshweb.com
  • www.rumbgeo.ru
  • www.dicto.ru
  • www.busheron.ru
  • www.omnicom.ru
  • www.teleline.ru
  • www.dynex.ru
  • www.gamma.vyborg.ru
  • nominal.kaliningrad.ru
  • www.baltmatours.com
  • www.interfoodtd.ru
  • www.baltnet.ru
  • www.neprifan.ru
  • photo.gornet.ru
  • www.aktor.ru
  • catalog.zelnet.ru
  • www.sdsauto.ru
  • www.gradinter.ru
  • www.avant.ru
  • www.porsa.ru
  • www.taom-clan.de
  • www.perfectjewel.com
  • www.vrack.net
  • www.netradar.com
  • www.pgipearls.com
  • www.vconsole.net
  • www.ccbootcamp.com
  • host23.ipowerweb.com
  • www.timelessimages.com
  • www.peterstar.ru
  • www.5100.ru
  • www.gin.ru
  • www.rweb.ru
  • www.metacenter.ru
  • www.biysk.ru
  • www.free-time.ru
  • www.rastt.ru
  • www.chelny.ru
  • www.chat4adult.com
  • www.landofcash.net
  • relay.great.ru
  • www.kefaloniaresorts.com
  • www.epski.gr
  • www.myrtoscorp.com
  • www.aphel.de
  • www.intellect.lvc
  • www.abcdesign.ru

    Registry Entry Removal

    In both of the following startup locations

    • HKEY_CURRENT_USER\Software\Microsoft\Windows\
      CurrentVersion\Run
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
      CurrentVersion\Run

    The following keys for other worms and security products are deleted:

    • "My AV"
    • "Zone Labs Client Ex"
    • "9XHtProtect"
    • "Antivirus"
    • "Special Firewall Service"
    • "service"
    • "Tiny AV"
    • "ICQNet"
    • "HtProtect"
    • "NetDy"
    • "Jammer2nd"
    • "FirewallSvr"
    • "MsInfo"
    • "SysMonXP"
    • "EasyAV"
    • "PandaAVEngine"
    • "Norton Antivirus AV'
    • "KasperskyAVEng"
    • "SkynetsRevenge"
    • "ICQ Net"

    Remote Access Component

    The virus listens on port 80 TCP and a random UDP port for remote connections. It attempts to notify the author that the infected system is ready to accept commands, by contacting various websites, calling a PHP script on the remote sites.

    • Aliases

    HTML_BAGLE.AC (Trend), I-Worm.Bagle.al (AVP), W32.Beagle.AO@mm (Symantec), W32/Bagle-AQ (Sophos), W32/Bagle.AJ@mm (F-Secure), W32/Bagle.AM.worm (Panda), WORM_BAGLE.AC (Trend)
       

    Virus Characteristics

    -- Update August 16, 2004 --
    The assessment of this threat was lowered to Low-Profiled due to a decrease in prevalence.
    --

    -- Update August 9, 2004 --
    The HTML file is detected with the 4167 (from Nov. 2001) and higher DATs as JS/IllWill.  The DLL component is detected with 4335 (Mar. 2004) and higher DATs as W32/Bagle.dll.gen.
    --

    If you think that you may be infected with W32/Bagle.aq@MM, and are unsure how to check your system, you may download the Stinger tool to scan your system and remove the virus if present.  This is not required for McAfee users as McAfee products are capable of detecting and removing the virus with the latest update. (see the removal instructions below for more information).

    Note: Receiving an email alert stating that the virus came from your email address is not an indication that you are infected as the virus often forges the from address.

    This is a mass-mailing worm which has the following characteristics:

    • contains its own SMTP engine to construct outgoing messages
    • harvests email addresses from the victim machine
    • the From: address of messages is spoofed
    • attachment is a zip file, which contains an EXE and HTML file
    • contains a remote access component (notification is sent to hacker)
    • copies itself to folders that have the phrase shar in the name (such as common peer-to-peer applications; KaZaa, Bearshare, Limewire, etc)

    The worm sends out a ZIP file which contains an HTML and EXE file.  The EXE file is within a folder in the ZIP file so that when it's viewed with Explorer (rather than a stand-alone ZIP file handler like WinZip or PKzip) the HTML file and a separate folder is what is visible. 

    The HTML file contains exploit code which, on vulnerable systems, will automatically run the EXE file which is a downloader trojan.  The downloader trojan then contacts a large number of remote websites to retrieve the virus itself.   

    Mail Propagation

    The virus which is downloaded contains the propagation code. The details are as follows:

    From : (address is spoofed)
    Subject : (blank)

    Body Text:

    • new price

    There is indication in the file that it may also try to password-protect some ZIP files, in which case it will add one of the following to the message body:

    • The password is
    • Password:

    The password will then be contained in an embedded image file.

    Attachment: (may be one of the following)

    • price.zip
    • price2.zip
    • price_new.zip
    • price_08.zip
    • 08_price.zip
    • newprice.zip
    • new_price.zip
    • new__price.zip

    The ZIP file contains PRICE.EXE and PRICE.HTML, as described above.

    If the ZIP file is opened with Windows Explorer (rather than a stand-alone ZIP handler such as WinZip or PKzip) the HTML file will be visible along with a folder which contains the EXE file.  When the HTML file is run on a vulnerable system, it will run the EXE file.

    When the EXE file is run (either manually or automatically by the HTML file), it will copy itself to the Windows System directory as WINDIRECT.EXE.  For example:

    • C:\WINNT\SYSTEM32\WINdirect.exe

    It also drops a DLL file in this directory:

    • _dll.exe

    The DLL file is injected into the Explorer.exe process, so its actions will appear to have originated from Explorer.exe.

    The following Registry keys are added to hook system startup:

    • HKEY_CURRENT_USER\Software\Microsoft\Windows\
      CurrentVersion\Run "win_upd2.exe" = C:\WINNT\SYSTEM32\windll.exe
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
      CurrentVersion\Run "win_upd2.exe" = C:\WINNT\SYSTEM32\windll.exe

    Once the virus executable is downloaded and run by the downloader trojan, the virus copies itself into the Windows System directory as WINDLL.EXE . For example:

    • C:\WINNT\SYSTEM32\windll.exe

    It also creates other files in this directory to perform its functions:

    • C:\WINNT\SYSTEM32\windll.exeopen
    • C:\WINNT\SYSTEM32\windll.exeopenopen

    The following Registry key is added to hook system startup:

    • HKEY_CURRENT_USER\Software\Microsoft\Windows\
      CurrentVersion\Run "erthgdr" = "C:\WINNT\SYSTEM32\windll.exe"

    Additionally, the following Registry keys are added:

    • HKEY_CURRENT_USER\Software\Microsoft\Windows\
      CurrentVersion\Ru1n

    A mutex is created to ensure only one instance of the worm is running at a time. One of the following mutex names is used in an attempt to stop particular variants of W32/Netsky running on the infected machine:

    • 'D'r'o'p'p'e'd'S'k'y'N'e't'
    • _-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
    • [SkyNet.cz]SystemsMutex
    • AdmSkynetJklS003
    • ____--->>>>U<<<<--____
    • _-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_

    The worm opens port 80 (TCP) and a random UDP port on the victim machine.

       

    All Users :
    Use current engine and DAT files for detection and removal.

    Additional Windows ME/XP removal considerations

    Stinger
    Stinger  has been updated to assist in detecting and repairing this threat.

    Manual Removal Instructions
    To remove this virus "by hand", follow these steps:

    1. Reboot the system into Safe Mode (hit the F8 key as soon as the Starting Windows text is displayed, choose Safe Mode.
    2. Delete the following files from your WINDOWS System directory (typically C:\Windows\System or C:\Winnt\System32)
      windll.exe
      windll.exeopen     
      windll.exeopenopen
    3. Edit the registry
      • Delete the "windll.exe" value from
        • HKEY_CURRENT_USER\Software\Microsoft\
          Windows\CurrentVersion\Run
      • Delete the key:
        • HKEY_CURRENT_USER\Software\Microsoft\Windows\
          CurrentVersion\Ru1n
    4. Reboot the system into Default Mode

    McAfee System Compliance Profiler
    Create a rule that matches a file
    - Choose SYSTEM_DIR from the drop-down
    - Type in WINDLL.EXE for the file name
    - Choose "File does not exist" in the next drop-down

    Create a rule that matches a file
    - Choose SYSTEM_DIR from the drop-down
    - Type in WINDLL.EXEOPEN for the file name
    - Choose "File does not exist" in the next drop-down

    Create a rule that matches a file
    - Choose SYSTEM_DIR from the drop-down
    - Type in WINDLL.EXEOPENOPEN for the file name
    - Choose "File does not exist" in the next drop-down

    McAfee Desktop Firewall
    To prevent possibly remote access McAfee Desktop Firewall users can block incoming TCP port 80

    McAfee Threatscan
    ThreatScan signatures that can detect the W32/Bagle.aq virus are available from:

    ThreatScan Signature version: 2004-08-09

    ThreatScan users can detect the virus by running a ThreatScan task using the following settings:

    • Select the "Remote Infection Detection" category and "Windows Virus Checks" template.
       -or-
    •  Select the "Other" category and "Scan All Vulnerabilities" template.

    For additional information:

    • Run the "ThreatScan Template Report"
    • Look for module number #4082